The attack surface widens by the day, with new threats being posed by artificial intelligence (AI) and increasingly cunning social engineering exploits. And, while the global cybersecurity workforce has grown to help defend against mounting threats, the gap of required workers remains at an all-time high, according to ISC2’s annual Cybersecurity Workforce Study out today. To adapt to that reality, the nonprofit member association emphasizes, organizations must move beyond legacy practices.
Yes, cybersecurity is a challenging profession requiring certain skills, but those can be taught. Aptitude, attitude, creativity and critical thinking capabilities, on the other hand, cannot. “We need to continue as an industry to open doors,” John France, ISC2’s CISO, told SDxCentral. “We need to be opening the covers on our industry a little more, making us more approachable.”[1]
Cloud skills in high demand - According to the report, the global cybersecurity workforce has reached 5.5 million people, an 8.7% increase over 2022, ultimately representing 440,000 new jobs. Still, 4 million professionals are required to help organizations protect their sensitive and proprietary data. “We’re adding lots of people into the industry,” said France, “but the gap has grown by more than we’re adding. It’s a skills shortage, finding people with the right skills for the right job.”
Of the nearly 15,000 cybersecurity practitioners and decision-makers surveyed by ISC2, a whopping 92% reported skills gaps at their organization, the top three being in cloud computing security, AI and machine learning (ML), and zero-trust implementation. Notably, nearly half (47%) of respondents identified cloud computing as the most sought-after skill for career advancement. “Cloud is really a product of its age,” said France, pointing out that aggressive adoption continues to deepen the threat surface, further exacerbated by monolithic systems being broken down into more complex microservices. “The pool of available talent to address that hasn’t grown at the same rate of adoption,” said France.
Threat landscape worst it’s ever been - Alarmingly, three-quarters of respondents said the threat landscape is the most challenging it has been in the last five years. “The threat surface is worse than it’s ever been, it’s more expansive than it’s ever been,” said France. He pointed to the continued rapid digitalization of everything, noting that, “even if you don’t think you’re a digital business, you are a digital business because you’ve got digital in your supply chain.”
Another factor impacting cybersecurity is global economic uncertainty. More than half (52%) of respondents said they were worried about their teams’ ability to keep their organization secure in the current economic climate.
The survey also cited the following statistics:
- 47% of respondents experienced cutbacks, which included budget cuts, layoffs and hiring and promotion freezes.
- 35% faced cuts to cybersecurity training programs.
- 57% said their response to threats has been inhibited by cutbacks, and 52% have seen an increase in insider risk-related incidents.
- 31% believe cutbacks will continue into 2024, and 70% expect those cutbacks to include layoffs.
AI on the attack; and to the rescue - AI is impacting every facet of business (and life) and this goes for cybersecurity, as well. In fact, nearly half (45%) of respondents foresee AI as their top challenge over the next two years. For one, the technology has the potential to deepen the threat landscape through more accurate phishing and deepfake campaigns, France pointed out. Also, targeting is more accurate and personalized and the cost of attacks decreases with prevalent AI tools. On the flip side, AI can be used for good, too: The technology has the potential to pick up patterns and anomalies in log files, for one. “The defender could be swimming in log file data,” said France. AI can equip them with “better signals and noise ratio,” homing in on what they need to listen to. “There’s an opportunity for our profession to pick up some elements of AI and use it to improve security stance,” said France. “It can be used by attackers and threat actors, but it can also be used by the industry and defenders.”
Hiring for aptitude and attitude - Encouragingly, organizations are beginning to adapt, according to ISC2. Respondents say their employers are investing in staff training (72%), offering flexible work conditions (69%), funding diversity, equity and inclusion (DEI) programs (68%), supporting certifications (67%) and expanding teams by recruiting, hiring and onboarding new staff (67%).
France underscored the importance of looking to adjacent industries for talent, actively recruiting workers looking to make a career change and, most importantly, committing to training them. “Organizations should hire for aptitude and attitude, not just straight skill,” said France. “We want to attract people with the core capabilities for learning and working in this profession.”
To that point, respondents stressed the importance of problem-solving skills (45%), curiosity and eagerness to learn (39%) and effective communication (38%). “It isn’t just formal training, it’s also rounding an individual out, which is experiential,” said France.
Also, DEI is critical to having a diversity of skills, perspectives and backgrounds. And, France pointed out, entry-level doesn’t mean young; organizations should look beyond the college-leavers demographic to mid- or even late-stage career changers.
France did note that for the first time in a long time, industry demographics are widening. Organizations with skills-based hiring have an average of 25.5% women in their workforce, for instance. Still, women represent just 26% of cybersecurity professionals under age 30. Ultimately, France is encouraged: “Anyone that wants to get into cybersecurity, become a cyber pro, now’s the time. There are many more routes than there used to be.”
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.sdxcentral.com/articles/analysis/cybersecurity-workforce-is-growing-fast-but-still-4-million-short/2023/10/